Contrib.social

SSRF vis role name on content translation screen

Open on Drupal.org β†’
Created on 12 April 2024, over 1 year ago

Problem/Motivation

This was originally reported to the security team who decided it could be public
This issue was reported to IBM as a vulnerability in the IBM API Connect Developer Portal, however the actual vulnerability is in the underlying Drupal Core translation modules. The vulnerability allows one Drupal user with administrative permissions to create a page which can force another Drupal user to make a call to a server under the control of an attacker. I have tested this on a vanilla Drupal 10 site and the vulnerability is present there.

Steps to reproduce

1. Set up a HTTP server somewhere, this will be the target of the malicious request (I used "ncat -l -p 80 --keep-open" just to see the request come in, obviously an attacker would use a server that they control)

2. Enable the four Drupal Core modules Language, Interface Translation, Content Translation and Configuration Translation

3. Navigate to Manage->People->Roles and create a new role with a name of

">'><img src="http://127.0.0.1/evil">

4. Navigate to the roles list and from the action menu for our malicious role select "Translate"

5. Choose a language and press the add button

The browser will make a call to the malicious server -- in my example I can clearly see the request come in:

Proposed resolution

Change $value = '<span lang="' . $source_language->getId() . '">' . nl2br($source_config) . '</span>'; to render as plain text string with \Drupal\Component\Utility\Html::escape

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Active

Version

11.0 πŸ”₯

Component
Config translationΒ  β†’

Last updated 2 days ago

Created by

πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @larowlan
  • Comment over 1 year ago β†’
    πŸ‡¬πŸ‡§United Kingdom MrSzymon
  • Comment over 1 year ago β†’
    πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States akalata

    Updating steps to reproduce.

  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States akalata
  • Merge request !11138Ensure that labels used in config translation are escaped β†’ (Open) created by akalata
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States akalata

    Edit issue title

  • Pipeline finished with Failed
    5 months ago
    Total: 530s
    #417184
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States akalata
  • Pipeline finished with Success
    5 months ago
    Total: 1576s
    #417231
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    The title is SSRF (server side request forgery) which I understand to mean a request from the server to other machines on the server's network as described in portswigger and owasp.

    The description includes:

    The vulnerability allows one Drupal user with administrative permissions to create a page which can force another Drupal user to make a call to a server under the control of an attacker.

    and

    The browser will make a call to the malicious server

    That is not a server-side request.

    I can see how this would let an admin gain data about the site visitors, which is not ideal, but on most sites an admin who can enter translations can probably already make other changes to a site that would also gain information about a visitor.

    I'm surprised if this is the only place where a user with only the ability to translate could insert an image. I think other strings are similarly not filtered.

  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Seems the test-only failure is passing when would expect to fail so think that needs tweaking https://git.drupalcode.org/issue/drupal-3440399/-/jobs/4273224

  • Assigned to akalata
  • Status changed to Needs work about 2 months ago
  • First commit to issue fork.
  • Pipeline finished with Failed
    about 2 months ago
    Total: 606s
    #500252
  • Pipeline finished with Failed
    about 2 months ago
    Total: 93s
    #500256
  • Pipeline finished with Success
    about 2 months ago
    Total: 352s
    #500257
  • Comment about 2 months ago β†’
    πŸ‡«πŸ‡·France prudloff Lille

    I adjusted the test to fail without the fix.

  • Comment about 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland berdir Switzerland

    this does a strip tags, that seems wrong and the escape then is pointless?

    if the source config has some HTML, you want to see that as the translation needs the same.

    It should just escape and should then also assert the escaped markup

  • Pipeline finished with Failed
    about 2 months ago
    Total: 456s
    #500862
  • Pipeline finished with Success
    about 2 months ago
    Total: 1238s
    #500888
  • Comment about 2 months ago β†’
    πŸ‡«πŸ‡·France prudloff Lille

    I removed the strip_tags() call, I think it was added in order to not break ConfigTranslationUiModulesTest.
    And I added an assertion with the escaped string (it needs to be precise because other parts of the page already contain the escaped payload in other places).

  • Comment 5 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Both tests appearing to be failing as expected

    1) Drupal\Tests\config_translation\Functional\ConfigTranslationUiModulesTest::testBooleanFieldConfigTranslation
Behat\Mink\Exception\ExpectationException: The string "On label (with &lt;em&gt;HTML&lt;/em&gt; &amp; things) Boolean settings" was not found anywhere in the HTML response of the current page.
/builds/issue/drupal-3440399/vendor/behat/mink/src/WebAssert.php:888
/builds/issue/drupal-3440399/vendor/behat/mink/src/WebAssert.php:363
/builds/issue/drupal-3440399/core/tests/Drupal/Tests/WebAssert.php:559
/builds/issue/drupal-3440399/core/modules/config_translation/tests/src/Functional/ConfigTranslationUiModulesTest.php:280
FAILURES!
Tests: 7, Assertions: 198, Failures: 1.

    New test

    1) Drupal\Tests\config_translation\Functional\ConfigTranslationUiTest::testLabelEscaping
Behat\Mink\Exception\ExpectationException: The string "<img src="http://127.0.0.1/evil">" appears in the HTML response of this page, but it should not.
/builds/issue/drupal-3440399/vendor/behat/mink/src/WebAssert.php:888
/builds/issue/drupal-3440399/vendor/behat/mink/src/WebAssert.php:380
/builds/issue/drupal-3440399/core/tests/Drupal/Tests/WebAssert.php:571
/builds/issue/drupal-3440399/core/modules/config_translation/tests/src/Functional/ConfigTranslationUiTest.php:353
FAILURES!
Tests: 9, Assertion

    Solution matches what's in the summary which seems to be written by security team.

    Believe this one is good.

  • Comment 5 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom longwave UK

    Do we know why the nl2br() was originally there? Do we need to care about representing newlines in the string correctly still?

  • Comment 5 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom longwave UK

    Traced this back to an issue in the original config_translation module, where nl2br() was explicitly added to fix a bug: #1945184: Original value display is broken β†’

    Therefore I think we should keep this feature? (and probably add a test for it...)

  • Pipeline finished with Success
    4 days ago
    Total: 447s
    #544535
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024